Security updates for all active release lines, September 2016

by Rod Vagg, 2016-09-23

(Update 27-September-2016) Releases available

Updates are now available for all active Node.js release lines. These include the recently published versions of OpenSSL 1.0.1 and 1.0.2 as well as fixes for some Node.js-specific security-related defects.

The OpenSSL security fixes included in these updates that impact Node.js are:

Additionally, OpenSSL 1.0.2j was released yesterday and included a fix for CVE-2016-7052. This flaw was introduced in last week's 1.0.2i release, and therefore does not directly impact Node.js.

Node.js-specific security flaws

Also included, are a number of fixes unrelated to the recent OpenSSL releases.

CVE-2016-7099: Wildcard certificates not properly validated

This is a high severity defect that would allow a malicious TLS server to serve an invalid wildcard certificate for its hostname and be improperly validated by a Node.js client. This is due to a flaw in the validation of *. in the wildcard name string.

Originally reported by Alexander Minozhenko and James Bunton (Atlassian).

This is a low severity security defect that that may make HTTP response splitting possible under certain circumstances. If user-input is passed to the reason argument to writeHead() on an HTTP response, a new-line character may be used to inject additional responses.

The fix for this defect introduces a new case where throw may occur when configuring HTTP responses. Users should already be adopting try/catch here.

This was originally reported independently by Evan Lucas and Romain Gaucher.

All versions of Node.js are affected.

Remove support for loading dynamic third-party engine modules

This is a low severity security defect. By default, OpenSSL will load a list of third-party engine modules when the ENGINE_load_builtin_engines() function is used. These are normally not present on a user's system. An attacker may be able to make Node.js load malicious code by masquerading it as one of the dynamic engine modules.

This defect primarily impacts Windows due to the standard DLL search paths. However, UNIX users may also be at risk with a poorly configured LD_LIBRARY_PATH environment variable or /etc/ld.so.conf path list.

Downloads

Please note that this may be the final release of the v0.10 line as support ends in October. Please upgrade to v4 or above if you have not already done so.

Original post is included below

The Node.js project has scheduled updates for all of its active release lines to patch a number of security flaws. These flaws include some of those announced by the OpenSSL project as well as a number of Node.js-specific issues. We do not consider any of these updates to be critical. However, it is strongly recommended that all production instances of Node.js be upgraded when the releases are made available.

We intend to make releases available on or soon after the evening of Tuesday, the 27th of September, 2016, UTC (midday US time).

We consider some of the patches in these releases to be API breaking changes which would normally warrant an increase in the major-version number of Node.js. However, in accordance with our security procedures, we will be delivering these changes in minor-version increases (the y in x.y.z) where appropriate, and patch-version increases in v0.10 an v0.12 releases.

These are the expected version numbers for the releases:

Node.js v6.7.0 (Current)

Node.js v4.6.0 (LTS "Argon")

Node.js v0.12.16 (Maintenance)

Node.js v0.10.47 (Maintenance)

Additional notes:

As per our LTS schedule, support for Node.js v0.10 will cease in October. Therefore, this may be the final release of Node.js v0.10. If you are still using v0.10 in production, it is essential that you plan for a migration to v4 (LTS "Argon") or v6 (LTS to be announced in October) as soon as possible.

In accordance with our security release procedures, we will be limiting changes included in the LTS and Maintenance lines (v4, v0.12, and v0.10) for these updates to only security-related and other critical fixes that provide for maximum stability for users.

Node.js-specific security flaws

Included in these releases will be a number of fixes unrelated to the recent OpenSSL releases. These include:

A high-severity flaw relating to the processing of TLS certificates, impacting all versions of Node.js

A low-severity native code injection vulnerability on Windows, impacting all versions of Node.js

A low-severity HTTP validation error, impacting all versions of Node.js

Full disclosure of fixed vulnerabilities will be provided after all releases are made available for download.

September OpenSSL Releases

The OpenSSL project has announced the general availability of versions 1.0.2i (to be included in Node.js v4 and above) and 1.0.1u (to be included in Node.js v0.10 and v0.12). Our crypto team (Shigeki Ohtsu, Fedor Indutny, and Ben Noordhuis) have performed an analysis of the defects addressed in the OpenSSL releases to determine their impact on Node.js. The results of this analysis are included below.

SWEET32 is a new attack on older block cipher algorithms that use a block size of 64 bits.

As mitigation, OpenSSL has moved DES-based ciphers from the HIGH to MEDIUM group. As Node.js includes HIGH, but not MEDIUM, in its default suite, affected ciphers are no longer included unless the default suite is not used. Node's default TLS cipher suite can be found in the API documentation.

Assessment: All versions of Node.js are affected by this vulnerability.

An overflow can occur in MDC2_Update() under certain circumstances resulting in an out of bounds (OOB) error. This attack is impractical on most platforms due to the size of data required to trigger the OOB error.

Node.js is impacted by this flaw but due to the impracticalities of exploiting it and the very low usage of of MDC-2, it is very low severity for Node.js users.

Assessment: All versions of Node.js are affected by this vulnerability.

An out of bounds (OOB) write can occur in BN_bn2dec() if an application uses this function with an overly large BIGNUM. TLS is not affected because record limits will reject an oversized certificate before it is parsed.

Assessment: All versions of Node.js are believed to be unaffected by this vulnerability.

A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

This is very low severity for Node.js users due to the difficulty in taking advantage of this attack and because DSA is very rarely used.

Assessment: All versions of Node.js are affected by this vulnerability.

In a DTLS connection where handshake messages are delivered out-of-order, those messages that OpenSSL is not yet ready to process will be buffered for later use. This can be exploited to cause a denial of service (DoS) via memory exhaustion.

As Node.js does not support DTLS, users are not impacted by this flaw.

Assessment: All versions of Node.js are believed to be unaffected by this vulnerability.

A flaw in the DTLS replay attack protection mechanism that would allow an attacker to force a server to drop legitimate packets for a DTLS connection, resulting in a denial of service (DoS) for that connection.

As Node.js does not support DTLS, users are not impacted by this flaw.

Assessment: All versions of Node.js are believed to be unaffected by this vulnerability.

Some missing message length checks can result in out of bounds (OOB) reads of up to 2 bytes beyond an allocated buffer. There is a theoretical denial of service (DoS) risk. This only impacts a client or a server which enables client authentication.

Node.js is impacted by this low severity flaw.

Assessment: All versions of Node.js are affected by this vulnerability.